CDR privacy safeguards

The Consumer Data Right (CDR) is designed to keep your data secure and protect your privacy.

The CDR privacy safeguards in the Competition and Consumer Act 2010 set out your privacy rights and the strict obligations on businesses collecting and handling your data.

There are 13 legally binding privacy safeguards.

1: Open and transparent management of data

Businesses must have procedures and systems in place to ensure they meet their privacy obligations under the Consumer Data Right. This includes having a clearly expressed and up-to-date CDR policy about how they manage your data.

2: Anonymity and pseudonymity

Accredited businesses must provide you with the option to not identify yourself or allow you to use a pseudonym.

There are some exceptions to this, for example when it is not practical for the business to deal with a consumer who has not identified themselves or has used a pseudonym, or if a law or a court order requires that they deal with an identified consumer.

3: Seeking to collect data

Accredited businesses can only collect your data from another business if they have your express consent. They must not seek to collect data beyond what they need to provide the product or service to you or for a longer time period than is necessary.

4: Dealing with unsolicited data from participants

Accredited businesses must destroy any data they receive without your consent, unless a law or court order requires it to be retained.

5: Notification of collection

Accredited businesses must notify you through your consumer dashboard when they collect your data.

A consumer dashboard is an online service that enables you to see and manage your consents for the collection, use and disclosure of your data. It can be built into existing online portals or mobile apps and must be provided by all businesses participating in the Consumer Data Right.

6: Use or disclosure of data

Businesses can use or disclose your data only where required or authorised under the Consumer Data Right and only with your consent, unless otherwise required by a law or a court order.

7: Direct marketing

Your data can’t be used for direct marketing unless you consent and it is allowed under the CDR Rules.

8: Overseas disclosure of data

Accredited businesses must not send your data overseas, unless an exception applies. One example of an exception is where the business receiving your data overseas is also accredited under the Consumer Data Right system.

9: Adoption or disclosure of government identifiers

Accredited businesses cannot adopt, use or disclose a government-related identifier, such as a Medicare or Australian passport number, unless required or authorised under another law, court order or privacy regulation.

10: Notification of disclosure

When a business discloses your data to another business, they must notify you by updating your consumer dashboard.

11: Quality of data

Businesses must ensure the quality of your data. They must inform you if incorrect data is disclosed and they must provide the corrected data to the recipient on your request.

12: Security of data and the handling of redundant data

Accredited businesses must meet strict information security requirements. This includes ensuring your data is protected from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.

Any data that is no longer needed for a permitted purpose must be deleted or de-identified, unless an exception applies.

13: Correction of data

Businesses must respond to data correction requests and take steps to correct or add a qualifying statement to the data to ensure the data will not be misinterpreted. They must notify you when they have done so or explain why a correction or statement is unnecessary or inappropriate.